The Process of Provisioning PCs with

Intel® vPro™ Technology

White Paper

August 15, 2008

© 2007 Altiris Inc. All rights reserved.

ABOUT ALTIRIS Altiris, Inc. is a pioneer of IT lifecycle management software that
allows IT organizations to easily manage desktops, notebooks,
thin clients, handhelds, industry-standard servers, and
heterogeneous software including Windows, Linux, and UNIX. Altiris automates
and simplifies IT projects throughout the life of an asset to reduce the cost and
complexity of management. Altiris client and mobile, serv er, and asset
management solutions natively integrate via a common Web -based console and
repository. For more information, visit www.altiris.com.

NOTICE

INFORMATION IN THIS DOCUMENT : (I) IS PROVIDED FOR INFOR MATIONAL PURPOSE S ONLY WITH RESPECT TO PRODUCTS OF
ALTIRIS OR IT S SUBSIDIARIES (“PRODUCTS”), (II) REPRESENTS ALT IRIS‟ VIEWS AS OF THE DATE OF PUBLICATION OF THIS
DOCUMENT, (III) IS SUBJECT TO C HANGE WITHOUT NOTICE, AND (IV) SHOULD NOT BE CONSTRUED AS ANY C OMMITME NT BY
ALTIRIS. EXCE PT AS PROVIDED IN ALTIRIS‟ LICE NSE AGREEMENT GOVERNING ANY PRODUCTS OF ALTIRIS OR ITS
SUBSIDIAR IES (“PRODUCTS”), ALTIRIS ASSUMES NO LIABILITY WHATSOEVER, AND DISCLAIMS ANY EXPRESS OR IMPLIED
WARRANTIES RELATING TO THE USE OF ANY P RODUCTS, INCLUDING WITHOUT LIMITAT ION, WARRANTIES OF FITNESS FOR A
PARTICULAR PURPOSE, MERCHANT ABILITY, OR INFRINGEMENT OF ANY THIRD PARTY INTELLECTUAL PROPERTY RIGHTS.
ALTIRIS ASSUMES NO RESPONSIBILITY FOR ANY ERRORS OR OMISSIONS C ONT AINED IN THIS DOCUMEN T AND ALTIRIS
SPECIFICALLY DISCL AIMS ANY AND ALL LIABILITIES AND/OR OBLIG ATIONS FOR ANY CLAIMS, SUIT S OR DAMAGES ARISING
FROM OR IN C ONNECTION WITH THE USE OF, RELIANCE UPON OR DISSEMINATION OFTHIS DOCUMENT AND/OR THE
INFORMATION CONTAINED HEREIN.

Al ti ri s may have patents or pendi ng patent appli cati ons, trademarks, copyri ghts, or other i ntell ectual prope rty ri ghts that
rel ate to the Products referenced herei n. The furni shi ng of thi s document and other materi al s and i nformati on does not provi d e
any li cense, express or i mpli ed, by estoppel or otherwi se, to any fore goi ng i ntell ectual property ri ghts.

No part of thi s document may be reproduced, st ored i n a retri eval system, or transmi tted in any form or by any means wi thout
the express wri tten consent of Al ti ri s, Inc.

Customers are sol ely responsi bl e for asse ssi ng the sui tabili ty of the Products for use i n parti cul ar applicati ons. Produ cts a re
not i ntended for use i n medi cal , life savi ng, li fe sustai ni ng, cri ti cal control or safety systems, or i n nucl ear faci li ty appli cati ons.

Copyri ght © 2008, Al ti ri s, Inc. All ri ghts reserved.

Al ti ri s, Inc.
588 West 400 South
Li ndon, UT 84042

Phone: (801) 226-8500

Fax: (801) 226-8506

*Other company names or product s menti oned are or may be tradem arks of thei r respecti v e owners.

Informati on in thi s document i s subject to change wi thout noti ce. For the l atest documentati on, vi si t www.al ti ri s.com .

www.altiris.com
CONTENTS Introduction .............................................................. 1
Terminology................................................................. 1
Acronyms .................................................................... 2
Introduction to Intel AMT ........................................... 3
Overview of Out-of-Band Communication .................... 4
In-Band Communication .............................................. 4
Out-of-Band Communication ........................................ 5
Overview of Provisioning ............................................ 6
Flexible Provisioning ................................................... 6
Provisioning Is a Two-Step Process ............................... 6
After provisioning: OOB Discovery of the PC ................... 7
Why is AMT Setup and Configuration Important? ............. 7
Remote, Centralized Management of the PC ................. 7
Access to AMT Features Depends on Setup and Configuration 7
Customize the Client Configuration Profile ................... 8
Choose Initial Security during Setup and Configuration .. 8
Provisioning Models and Processes ............................. 9
Intel AMT Supports Three Provisioning Models................. 9
Enterprise versus Small Business Mode ....................... 9
Intel AMT Supports Three Setup Processes ................... 10
OEM Can Pre-Provision AMT ....................................... 11
Provisioning Flow .................................................... 12
Stage 1: Factory-Default State ................................... 12
Setting up Initial Security Credentials ....................... 13
Automated Setup Process ........................................ 13
Stage 2: Setup and Ready to Be Configured ................. 14
Loading the Configuration Profile .............................. 14
Automated Configuration Process ............................. 14
Stage 3: Configured and Ready for Integration ............. 15
Unprovisioning and Re-provisioning ............................. 15
Provisioning Considerations ..................................... 16
Remote Setup .......................................................... 17
Microsoft Certificate Authority is Required ................. 17
Remote Configuration Process .................................. 17
Scripting for Remote Configuration ........................... 17
Delayed Provisioning and Reinitializing the Hello Packets18
USB-Key Setup ........................................................ 18
USB Key Requirements ........................................... 18
Re-Provisioning via USB Key .................................... 19
Manual Setup .......................................................... 19

www.altiris.com
 MEBx Parameters and Settings ................................... 19
Unprovisioning and Re-provisioning ............................. 21
Unprovisioning Intel AMT ........................................ 22
Re-provisioning Intel AMT ....................................... 22
Dependencies for Provisioning.................................. 23
Criteria Needed for Successful Provisioning .................. 23
Optimal Conditions for Provisioning ............................. 23
Infrastructure Dependencies for Provisioning ................ 24
DHCP/DNS/IP (Required) ........................................ 24
DHCP Server ...................................................... 24
DNS Server ........................................................ 24
Firewall/Router Ports .............................................. 25
Database Server Integration .................................... 25
SCS (Required) ..................................................... 25
SCS and Active Directory (Kerberos) ...................... 26
Key Elements of SCS ........................................... 26
Adding Device Information to the SCS Database ....... 26
Certificate Authority (Optional) ................................ 27
Remote Configuration Certificates ............................ 28
Server Authentication Certificates .......................... 28
Client Authentication Certificates ........................... 28
Wildcard Certificates ............................................ 29
Default HP Certificate Hashes ................................ 29
Active Directory (Optional) ...................................... 29
Support for Kerberos Authentication and 802.1x ....... 29
Active Directory Provisioning ................................. 29
SCS and Active Directory Tasks and Permissions ...... 30
Extending the Active Directory Schema ................... 30
Integrating SCS with Active Directory ..................... 31
Active Directory Hotfixes ...................................... 31
Security ................................................................... 32
Key Questions to Consider ......................................... 32
Security during Provisioning ....................................... 32
Security in Enterprise Mode vs. SMB Mode.................... 33
Security Methodologies and Technologies ..................... 33
Admin Username and Password ................................ 33
TLS Encryption ...................................................... 34
TLS Requirements ............................................... 34
How It Works ..................................................... 34
TLS Encryption and Mutual Authentication ............... 35
TLS, Altiris, and Redirection Traffic ........................ 35
Mutual Authentication ............................................. 35
Active Directory (Kerberos Authentication)................. 36
802.1X authentication profiles ................................. 36
Access Control Lists (ACLs) ..................................... 36

www.altiris.com
 Securing the Management Console .............................. 37
Sample Integration Procedures ................................ 39
Procedure 1: Provisioning Using a USB Key ................. 39
Procedure 2: Remote Configuration ............................ 42
Step 1: Enable Remote Configuration ........................ 42
Step 2: Create a Configuration Profile ....................... 43
Step 3: Synchronize Resources ................................ 44
Step 4: Prepare the Altiris Real-Time Console Infrastructure (RTCI) profile 45
Step 5: Install the Remote Configuration Certificate .... 49
Import the Certificate to the Local Computer Certificate Store 50
Examine the Remote Configuration Provisioning Certificate 52
Finish Installing the Certificate .............................. 55
Complete and Monitor the Provisioning Process ........ 57
Procedure 3: Unprovisioning Intel AMT (Two Methods) .. 58
Method 1: Unprovision Intel AMT on the PC ............... 58
Clean Up the Management Domain ........................... 60
Method 2: Unprovision in Preparation for Reprovisioning Using Activator
Utility .................................................................. 61
Procedure 4: Active Directory Extension through Altiris . 62
Step 1: Extend the AD Schema ................................ 62
Step 2: Configure Kerberos ..................................... 65
Step 3: Create Kerberos Profile ................................ 66
Procedure 5: Setting up TLS Certificates ..................... 71
Step 1: Set up the Certificate .................................. 71
Step 2: Verify that the Provisioning Service Is Requesting Certificates 74
For More Information ............................................... 76

www.altiris.com
INTRODUCTION
This document explains the theory behind provi sioning and how the provisioning
process with PCs with Intel ® Core™2 processor with vPro™ technology (PCs with
Intel ® vPro™ technology) and Intel ® Active Management Technology (Intel ®
AMT) works in conjunction with Altiris.

Terminology
Note that during provisioning:

A PC with Intel vPro technology includes many hardware and firmware

elements, including the Intel ® Management Engine.
The Intel ® Management Engine is a firmware module that includes Intel
AMT (in other words, Intel AMT is part of the Intel Mana gement Engine).
One of the functions of the Intel Management Engine is to communicate with
the provisioning server to help configure Intel AMT for your network and
service environment.
Intel AMT is a set of hardware-based remote-management and security
capabilities designed into the PC with Intel vPro technology.
MEBx (Intel Management Engine BIOS extension) is a set of screens and/or
parameters (accessed through BIOS), which specify the settings for Intel
AMT features.
The “host” is the PC‟s operating system (OS). Intel AMT is not the host;
however, the Intel AMT machine name is usually set to the same name as
the host OS.
The “client” as an endpoint -- At a high level, IT managers usually use
the term “client” to refer to the endpoint, or PC. The hardware-based
features of Intel AMT are not the client. The client is the PC with Intel vPro
technology.
The “client” during encryption and authentication -- At a low level,
during authentication processes, the term “client” has a slightly different
meaning. Technically, during TLS encryption and mutual authentication
between Intel AMT and the server, because of the direction of authentication
requests and responses, the PC with Intel AMT temporarily becomes the
“server” and the Provision Server becomes the “client.” This explains why,
some of the more detailed descriptions of authentication refer to client -
signed certificates for the Provision Server and server-signed certificates for
Intel AMT.

www.altiris.com The Process of Provisioning > 1

Acronyms
This document uses the following acronyms:

AD Microsoft Active Directory (Kerberos)

API Application programming interface
CA Certificate Authority
DHCP Dynamic host configuration protocol
DNS Domain name server
FQDN Fully qualified domain name
HTTP Hyperttext Transfer Protocol
Intel AMT Intel Active Management Technology
ICT in-circuit test tool
IP Internet protocol
ISV Independent software vendor, such as Symantec (Altiris).
IT Information technology
ME Management engine
MEBx Intel Management Engine BIOS extension
MTLS Mutual authentication
OEM Original equipment manufacturer
OID Object ID
OOB Out-of-band
OOBM Out-of-band management
OS Operating system
OTP One-time password
OU Object organizational unit
PC Personal computer
PID Provisioning ID
PKI Public key infrastructure
PPS Provisioning passphrase
PSK Pre-shared key
RCT Remote configuration tool
SCS Setup and configuration service
SMB Small- and medium-business
SOAP Simple Object Access Protocol
SQL Structured query language
TLS Transport layer security
UI User interface
USB Universal serial bus
UUID Universal unique identifier

2 < The Process of Provisioning www.altiris.com

INTRODUCTION TO INTEL AMT
Intel ® Active Management Technology (Intel ® AMT) is an integral part of PCs
that contain Intel® vPro™ technology. Intel AMT makes it easier to monitor,
maintain, repair and secure notebook and desktop PCs. Intel AMT operates
independently of the PC‟s processor and independently of the PC‟s operating
system (OS). You can use a management application, such as the Altiris Client
Management Suite (Altiris console) to access Intel AMT capabilities securely,
even when PC power is off. As long as the desktop PC is connected to a power
source or the notebook PC has AC or DC power, you can access Intel AMT.

Using Intel AMT, you can:

Discover PCs virtually anytime, by remotely accessing the PC‟s universal

unique ID, which is stored in protected, nonvolatile memory (not on the hard
drive).
Remotely diagnose and repair PCs even when the operating system is down,
including use secure remote boot, use secure console redirection, access
BIOS settings and the persistent AMT event log, and perform other critical
tasks to bring a PC back into service.
Improve patch saturation and updates by remotely and securely powering up
PCs to receive a patch or other update off-hours.
Take advantage of built-in security features, such as hardware-based filters
for network traffic and agent presence checking, which help limit the effect
of “malware,” tampering, and other malicious attacks.
For more information about Intel AMT capabilities and use cases, refer to the
Intel Web site.

www.altiris.com The Process of Provisioning > 3

OVERVIEW OF OUT-OF-BAND COMMUNICATION
An Altiris Client Management Suite (the management console) can communicat e
in two ways with a PC with Intel vPro technology. The management console can
communicate in-band to the target PC, at the OS level. This is the typical
communication method. The management console can also communicate out -of-
band (OOB) with the target PC with Intel vPro technology. This communication is
below the OS level and independent of the state of the OS. OOB communication
with Intel vPro technology is available even if the OS is down, the PC‟s power is
off, management agents are missing, or hardware (such as a hard disk) has
failed.

Provisioning a PC with Intel vPro technology (a PC with Intel AMT) refers to

setting up and configuring the Intel AMT capabilities for remote, out-of-band
management.

In-band management refers to OS-level, software-based communication

with and management of the PC. In-band management is conducted via
protocols, software agents, or applications that are hosted within the OS
environment.
Out-of-band (OOB) management (or OOBM), enhanced by Intel vPro
technology, refers to hardware-based communication. OOB allows for
interaction directly with the PC hardware upon which the OS is dependent.
Access to the hardware allows an IT technician to remotely power up a PC,
reboot a PC to a clean state even if the OS is down, and perfor m other tasks
typically unavailable through software-based communication.

In-Band Communication
In-band communication is software-based and is at the OS level. In-band
communication establishes a connection through the software stack in the PC‟s
OS.

In-band communication requires that the PC be powered up. With in-band

communication, patches and software updates can occur only when a PC is
powered up and can be accessed via the appropriate protocols, agents, or
applications.
If the security or integrity of the OS has been compromised, associated
connections may also be at risk from viruses, worms, and other threats.
A third-party management application, such as Altiris, is used to manage in-
band, software-based communication with the PC at the OS level.

The same management application, such as Altiris, can also be used to access
the out-of-band (OOB), hardware-based capabilities of Intel AMT.

4 < The Process of Provisioning www.altiris.com

Out-of-Band Communication
Out-of-band communication with Intel AMT occurs at a different level than in-
band communication. Instead of communicating through the software stack in
the OS, Intel AMT is based on the TCP/IP firmware stack designed into system
hardware. This means that Intel AMT sits “below” or outside the OS. Essentially,
communication with the Intel AMT capabilities occurs via the network data path
before communication is passed to the OS. Because communication to AMT
occurs before it reaches the OS, this communication is independent of the state
of the OS.

OOB communication with Intel AMT occurs via a secur e connection between
the management console and the Intel Management Engine (which includes
Intel AMT). Connectivity to the management engine requires authentication
of the user via an admin password, which defines the user‟s rights and
privileges.
Remote OOB access to the hardware-based capabilities of Intel AMT can
occur only through the secure connection established between the
management console and the Intel Management Engine.
Because this connectivity requires authentication, OOB communication is
more secure than in-band communication.
Because communication to Intel AMT is independent of the OS, Intel AMT is
also less vulnerable to the operation and security problems that typically
affect an OS and/or the applications installed at the OS level .
Because OOB is both secure and is independent of the OS, the connection to
Intel AMT can be used to securely and remotely manage the PC even if the
PC is not powered up. The connection is also available if the OS is down,
management agents are missing, or hardware (such as a hard drive) has
failed. For an administrator, this means patches and software updates can
be remotely loaded into an Intel vPro PC even if PC power is off at the start
of the update cycle.

www.altiris.com The Process of Provisioning > 5

OVERVIEW OF PROVISIONING
An vPro PC can be viewed as having two separate elements:

A host processor running a general purpose OS such as Microsoft* Windows

XP.
An Intel AMT device operating independently of the host. The Intel AMT
firmware executes on the Intel Management Engine (Intel® ME).
Provisioning is the process of setting up security for AMT and configuring AMT to
integrate with the configuration of the host system, including networking
configuration.

Flexible Provisioning
Intel AMT provides significant flexibility in order to meet the needs of vari ous
customer environments. This flexibility leads to a number of deci sions that have
to be made as you plan and implement your deployment of Intel AMT-enabled
systems. For example, you must decide whether to use SMB or enterprise
provisioning mode, whether to use Active Directory (Kerberos) to improve
security, and make other similar decisions.

Intel AMT supports three types of provisioning: advanced, standard, and basic,
to accommodate different IT needs for various levels of automation and different
customer environments.

Intel AMT also lets you choose different types of security for provisioning,
including certificates and keys. These and other, built -in security technologies
and methodologies (see the security discussion later in this document) are used
to secure communication with Intel AMT during provisioning.

A setup and configuration service provides the tools needed to set up and
configure Intel vPro PCs for use with the Altiris console.

Provisioning Is a Two-Step Process

Deployment is typically a four-step process: set up the configuration service,
provision (set up and configure) Intel AMT, and integrate the AMT -enabled PC
into the management console. The two provisioning steps -- setting up and
configuring Intel AMT -- are typically fully automated processes.

During setup, initial security credentials are established, as well as the initial
networking and operational parameters required to initiate configuration.

During configuration, BIOS and MEBx parameters are set to appropriate values
for your management environment. This includes loading a client configuration
profile into AMT, which tells the system which AMT features are enabled on the
PC, what authentication mechanism will be used, and which users have access to
AMT features.

After provisioning, you are ready to integrate the AMT-enabled PC into the Altiris
console.

6 < The Process of Provisioning www.altiris.com

 Note:
In this guide, the term “provisioning” is used interchangeably with
“setup and configuration.” Both terms refer to the same overall
process.

After provisioning: OOB Discovery of the PC

Once Intel AMT is configured, and your network environment is set up and
verified, you can use the Altiris console to communicate with the PC, even if the
PC is powered off. OOB communication lets you discover and integrate the PC
into the management domain even if the OS is not yet installed. This is done
through the Intel AMT feature for OOB access to the persistent universal unique
identifier (UUID) of the PC. Through Intel AMT, the PC‟s UUID is available
virtually anytime.

Once the PC has been integrated into the management domain, you can use
Altiris to access the Intel AMT capabilities and perform a remote OS and/or
application build.
Once the OS is available, you can use typical in-band management to
monitor, maintain, and manage the PC.
You can use OOB management through Intel AMT to remotely monitor,
maintain, and manage the PC in circumstances in which the OS is not
responding, management agents are missing, PC power is off, or hardware
(such as a hard drive) has failed.

Why is AMT Setup and Configuration Important?

First, you must setup and configure Intel AMT before you can access the AMT
features remotely. Setup and configuration also offer other benefits.

Remote, Centralized Management of the PC

Setup and configuration of Intel AMT allows for centralized, remote, secure OOB
management of the PC through:

A third-party management console (Altiris)

The built-in Web-UI. The Web-based interface is a useful tool that allows a)
remote management of the PC before the management console is ful ly
configured, b) verification of network communication before you try to
integrate the Intel AMT-enabled PC into the management domain, and c)
remote management for Intel vPro PCs in small - and medium-business
(SMB) configurations. .

Access to AMT Features Depends on Setup and Configuration

Intel AMT must be set up and configured before the capabilities are available to
the management console. If you do not provision Intel AMT, you cannot access
the Intel AMT features remotely.

Setup and configuration establishes:

www.altiris.com The Process of Provisioning > 7

 Security methodologies and security parameters (such as access control
lists and realms) used for accessing Intel AMT, and establishes the security
credentials that will be used to secure the initial setup and configuration
process.
Networking parameters (such as specifying DHCP or static IP) required for
communication between the management console and the target PC.
Operational parameters (such as enterprise mode versus small business
mode, or specifies certain BIOS configuration settings) requi red for
communication and management of the target PC. These can include time
and date, power-policy options, and so on.

Customize the Client Configuration Profile

The configuration profile determines which features are enabled on an Intel AMT
device, what authentication mechanism will be used, and which users have
access to device features. This allows you to customize the PC to meet customer
needs for unique network requirements, business practices, or policy
constratins, while continuing to protect the security of the PC during
provisioning and later, during remote management of the system.

Configuration profile settings typically include:

User name and password (Intel AMT administrator name)

Network settings: ping allowed, VLAN, and enabled interfaces (WebUI, SOL,
IDE-R), and TLS settings
Certificates: CA Server Name, CA Type, Certificate Template
Mutual Authentication (M-TLS, or TLK-PKI) settings
Access control list (ACL) settings: Digest or Kerberos user
Power policy settings
Each profile can be assigned to one or more Intel vPro PC.

Choose Initial Security during Setup and Configuration

You can choose the security methodology to use during provisioning ; this
security is established during AMT setup.

Using robust security during provisioning is critical in order to prevent

unauthorized access to the PC‟s Intel AMT capabilities during provisioning. For
example, the security credentials established during setup help prevent
unauthorized access to critical system information stored in Intel AMT‟s
persistent memory, and help prevent unauthorized access to powerful Intel AMT
capabilities such as remote boot, remote power-up, and remote console
redirection.

8 < The Process of Provisioning www.altiris.com

PROVISIONING MODELS AND PROCESSES
Intel AMT supports three provisioning models and three provisioning processes,
so you can choose the model and process most appropriate for your environment

Three provisioning models: advanced, standard, and basic

Three provisioning modes: remote configuration (fully automated via
certificates), USB-key (“one-touch”, via pre-shared keys), and manual (via
administrator password)

Intel AMT Supports Three Provisioning Models

Intel AMT supports three provisioning models (see Table 1). You can use the
criteria listed in Table 1 to select the model most appropriate for your
environment. For example, if you are deploying thousands of PCs in a one -to-
many model for an enterprise-level business, in a Cisco SDN-secured network,
then you should use the advanced provisioning model. If you are deploying three
or four PCs to a small business and do not have a provisioning service, you
should use the basic provisioning model.

Enterprise versus Small Business Mode

You can set up Intel AMT for use in an enterprise environment, or for use in a
small- or medium-business (SMB) environment. Typically, an SMB environment
does not use Transport Layer Security (TLS) or Microsoft Active Directory
(Kerberos).

Enterprise mode enables authentication using either Kerberos

authentication or HTTP Digest. You must use Altiris to implement Enterprise
mode. Enterprise mode requires TLS encryption to secure critical network
traffic -- such as the Intel AMT remote boot and remote power-up commands
-- between the Altiris console and the target PC. In enterprise mode, you
can set up PCs for DHCP (recommended) or static IP addressing.
SMB mode uses an administrator username and password for
authentication. The communication tunnel to the PC is secured via HTTP, but
network traffic between the Altiris console and the target PC is not
encrypted. In SMB mode, you can set up desktop PCs for DHCP
(recommended) or static IP addressing. In SMB mode, notebooks must be
set up for DHCP addressing.
This document focuses primarily on provisioning PCs in enterprise mode.

www.altiris.com The Process of Provisioning > 9

 Table 1. Three provisioning models

Capability Basic Standard Advanced

Intel AMT features All All All

available
Configuration mode SMB Enterprise Enterprise

Provisioning Manual Automated: remote Automated: remote

method via certificates or via certificates or
“one-touch” USB-key “one-touch” USB-key
Manual Manual
Provisioning service No Yes Yes

Deployment One-to-one One-to-many One-to-many

process
Required enterprise DNS and DNS and DHCP DNS and DHCP
infrastructure DHCP typical Provisioning service Provisioning service
Active Directory
integration (optional)
Certificate authority
(optional)
Authentication HTTP Digest HTTP Digest HTTP Digest
security Kerberos (optional)
Management traffic No No Digital certificates
encryption (optional)
Secure network No No 802.1X
connectivity Cisco SDN
Microsoft NAP
(notebooks only)

Active Directory No No Yes (optional)

TLS and MTLS No No Yes (optional)

support
Upgrade path No Remotely N/A
re-provision to
advanced

Intel AMT Supports Three Setup Processes

Intel AMT also supports three setup processes: remote configuration (fully
automated), one-touch USB-key configuration, and manual configuration.

The processes vary based on how the initial Intel AMT security credentials,
networking parameters, and operational parameters are entered into BIOS and
MEBs. These values can be loaded into the PC as a fully automated process
(remote configuration), a light-touch process (USB key), or a manual process.

10 < The Process of Provisioning www.altiris.com

The three processes differ based on how authentication is validated and trust is
established between the provisioning service and AMT on the target PC. Remote
configuration uses certificates. USB-key provisioning uses pre-shared keys, while
basic configuration uses administrator passwords:

Remote provisioning. As soon as the PC is plugged into the network, it

initiates a fully automated setup and configuration process, based on
certificates and keys. No manual intervention is required. Remote
configuration can be fully automated or remotely initiated by IT.
USB-key provisioning. A USB stick is preloaded with security credential s
and initial provisioning parameters. (When provisioning multiple PCs, the
USB setup automatically updates the USB data for each PC so that each PC‟s
security credentials are unique.) Each PC is booted with the USB stick, and
the credentials and initial BIOS / MEBx settings are automatically entered
into the system. After USB setup, as soon as the PC is plugged into the
network, Intel AMT initiates the rest of its automated configuration process.
Manual provisioning. Security credentials and provisioning parameters are
entered manually for each individual PC. This method of provisioning is
tedious, can be error-prone, and is used only as a backup measure to
provision systems.

OEM Can Pre-Provision AMT

Most OEMs can provide a service that changes the MEBx from factory mode to
setup mode before delivering the vPro PCs for deployment. The OEM does the
pre-provisioning by entering certain information into the MEBx for you. This
often requires an additional fee to the OEM. OEM pre-provisioning is most useful
when an vPro PC is delivered directly to the end user from the manufacturer.

You can provide the security keys to the OEM for integration into MEBx, or the
OEM could provide you with a list of keys they generated when doing the initial
MEBx setup. The keys must match between the Intel vPro PCs and the Altiris
console. Altiris includes an option to import and export keys for this task.

www.altiris.com The Process of Provisioning > 11

PROVISIONING FLOW
During provisioning (whether automated or manual), Intel AMT goes through
three stages: factory-default state, setup state, and configured state, as shown
in Figure 1.

Factory state:
AMT disabled
No network configuration
Setup state:
AMT enabled
Basic network configured
Admin credentials loaded
Configured state:
AMT fully configured (for example, power policies are set)
Security credentials fully loaded
Ready for remote management by the Altiris console
Once AMT is configured, the AMT-enabled PC is ready to be integrated with your
Altiris console.

Figure 1: Provisioning Stages and Steps

Stage 1: Factory-Default State

In the first stage, Intel AMT is in its factory default state:

Intel AMT security credentials and MEBx parameters are set to the values
defined by the OEM.
The MEBx admin username and password are still set to their OEM factory
defaults.

12 < The Process of Provisioning www.altiris.com

 The PC has not been provisioned. Networking and operational parameters
are still set to their OEM factory defaults.
In factory-default state, Intel AMT is ready to be set up.

In order to proceed, you must: set up the initial security credentials and
initial networking and operational parameters for communication with the Intel
Management Engine on the target PC. This can be done as a fully automated,
remote procedure (advanced configuration), or as a “light touch” (standard) or
manual (basic) procedure.

Setting up Initial Security Credentials

Security credentials (authentication data) must be made available to the PC and
to the setup and configuration service (SCS) before access to the Intel
Management Engine is granted. The security credentials allow authentication or
trust of the client to the SCS. Authentication and trust must be established
before the Intel AMT configuration profile can be loaded (in the configuration
steps). Establishing security credentials is the setup process .

Advanced configuration uses certificates to establish authentication and trust

between the SCS and Intel AMT on the target PC. In basic and standard
configuration, security credentials consist of an admin password, provisioning ID
(PID), and provisioning passphrase (PPS).

Note that the SCS can be configured to locate Intel AMT-based PCs either from
within the SCS database or via a script.

Automated Setup Process

1. The SCS is installed and its database loaded with initial data. The SCS then
waits for a request from an Intel AMT device. Basic information required by
the SCS server database includes:
SCS configuration parameters.
Profiles that define the setup parameters for the Intel vPro PCs to be
configured.
Entries identifying each Intel vPro PC to be configured, with a link to
an appropriate profile.
A list of valid TLS-PSK keys that match what is installed on the Intel
vPro PCs awaiting configuration.
2. As soon as the PC is plugged into the network, Intel AMT tries to locate the
SCS. This is done by requesting the IP address of the client (the SCS, via a
DHCP server).
3. Intel AMT performs a DNS lookup, with the default SCS server name
ProvisionServer to determine the IP address of the SCS.
4. Intel AMT sends a TCP/IP “hello” packet to the SCS.
Note:
At this stage, Intel AMT will not respond to management requests
from the Altiris console. Trust has not yet been established, and

www.altiris.com The Process of Provisioning > 13

 Intel AMT has not yet been configured for your management
environment.

5. SCS looks in the SCS database for a configuration entry matching the UUID
in the hello message. (If there is no match and no script, SCS revisits the
queued hello message periodically to see if an entry was added to the
database.) Based on the UUID in the hello message, the SCS searches the
database to locate the profile and host name to be used to setup and
configure the PC. If the SCS is configured to do so, it may execute a script
to acquire the necessary parameters from sources outside the database, and
then store the information in the database.
6. Once a configuration match is determined, SCS requests a certificate for the
PC from a Certificate Authority server. This step is optional for deployments
that do not use TLS. This step is required for deployments using TLS and
mutual authentication.
7. If Active Directory integration is enabled, the SCS defines the Intel vPro PC
as an AMT object in the Active Directory domain controller
8. The SCS sends to the Intel Management Engine the following information:
Certificates from a public Key Infrastructure (PKI).
Access Control Lists (ACLs).
Other setup parameters, as defined in the profile setup and
configuration information, specific to that PC or to a group of PCs.
As soon as security credentials are established and trust validated, Intel AMT is
ready to be configured. The SCS can now load the profile into the target PC and
complete configuration using SOAP commands.

Stage 2: Setup and Ready to Be Configured

Once Intel AMT is setup, it is ready to be configured for your networking and
operational environment. In this stage, the Intel Management Engine is ready to
be loaded with the security, networking, and operational parameters that allow
the Altiris console to communicate with Intel AMT and manage the PC through
Intel AMT capabilities.

After the provisioning profile is loaded, Intel AMT is configured for your
operational environment, and you can access the Intel AMT capabilities through
your Altiris management console.

Loading the Configuration Profile

This is typically a self-initiated, fully automated process for Intel AMT. On the
SCS side, this step is often handled by a provisioning script.

Automated Configuration Process

Once Intel AMT and the SCS have authenticated communication and
established trust, Intel AMT indicates that it is ready to receive the
configuration profile.
The SCS loads the configuration profile into MEBx.

14 < The Process of Provisioning www.altiris.com

 Completion of the process includes mapping the PC‟s UUID (the hardware -
specific identifier) to it‟s FQDN (the OS/software specific identifier) and
passing the configuration parameters that enable Intel AMT to recei ve and
respond to the management requests.
A new PID/PPS key is generated and can be used for re-provisioning the
system.
When configuration is complete, Intel AMT is enabled, integrated with the PC‟s
configuration, and available for remote management. You are then ready to
discover the Intel AMT-enabled PC and integrate the system into the
management domain.

Note that, if the PC was previously discovered and integrated as a typical, non -
vPro PC, you must use Altiris to rediscover the PC as an Intel vPro PC in order to
access Intel AMT capabilities through the Altiris console.

Stage 3: Configured and Ready for Integration

In this stage, Intel AMT is fully configured and is now ready to be integrated
with the management console. This is typically done through the use of scripts.

Integration consists of defining the OS‟s FQDN, integrating the PC with Active
Directory, and integrating the PC with the management console.

Integration with the management domain follows this general flow:

First, the FQDN in the PC‟s OS must be defined and the system must be
integrated with Active Directory. SCS uses identification information, found
in the platform UUID for each Intel vPro PC, to determine the FDQN of the
OS, which profile to use for the OS, and where to place the Intel vPro PC in
the Active Directory.
After the OS is provisioned and joined to the Active Directory, scripted
actions are performed to integrate the OS and Intel AMT with the Altiris
console. This activity enables proper management behavior of Intel AMT
capabilities with Altiris.
Note that failure to properly coordinate the FDQN between Intel AMT and the
OS does not affect normal OS management activities, but does greatly
degrade Intel AMT capabilities for PC management.
Once Intel AMT is successfully provisioning and the system integrated with the
Altiris console, you are ready to begin remotely managing the system via Intel
AMT.

Unprovisioning and Re-provisioning

Refer to the discussion on unprovisioning and re-provisioning, later in this
document, following the description of the different methods of provisioning.

www.altiris.com The Process of Provisioning > 15

PROVISIONING CONSIDERATIONS
Remember that Intel AMT supports three types of provisioning:

Advanced configuration, a one-to-many deployment process which allows

you to use Active Directory (Kerberos), Certificate Authority, digital
certificates, TLS and mutual TLS, and configure the PC for network security
protocols such as 802.1x, Cisco SDN, and Microsoft NAP.
Standard configuration, a one-to-many deployment process that uses HTTP
digest for authentication.
Basic configuration, a one-to-one deployment process which is useful for
small deployments, such as for SMB environments.
Intel AMT supports three setup processes:

Remote configuration, based on certificates and keys, and which is fully

automated.
USB-key configuration, with initial security established via preshared
keys.
Manual configuration, with initial security established via an administrator
password.
Each setup process has considerations, depending on your provisioning process
and network environment.

Note these key points about provisioning:

Once an Intel vPro PC is configured, proper authentication and authorization

are required to access the management engine.
Core tables in Altiris CMDB in reference to provisioning Intel AMT include
Inv_OOB_Capability, Inv_AeX_AC_Location, and Inv_AeX_AC_Identification.
The provisioning service and related provisioning events are very dependent
on correct DNS mappings. Dynamic DNS updates of the client FQDN are
critical to appropriately resolve the IP address. If you are changing
configurations frequently for testing purposes, or you need to troubleshoot
DNS mappings, use the /flushdns and /registerDNS options of the Microsoft
Windows ipconfig command. Use /flushdns to clear both the management
server and client DNS cache. Use /registerDNS to make sure the Intel vPro
PC is registered in DNS.

16 < The Process of Provisioning www.altiris.com

Remote Setup
Remote configuration is the preferred method of provisioning, since it allows you
to deliver the PC to the user, then provision the system as needed wit hout a
deskside visit. Remote configuration is useful for:

One-to-many provisioning for large deployments.

Remote Intel AMT provisioning for PCs that have already been deployed to
users and have been in use for some time as typical (non -Intel vPro PCs).
This option allows IT to stabilize the PC‟s OS and application build, the
network, and the management application before enabling remote -
management technology in the PC.
Reprovisioning of a PC that has been moved to a new location or which
requires reconfiguration for a different use.
Remote configuration is supported by Intel AMT version 2.0 or later.

Microsoft Certificate Authority is Required

In order to use the remote configuration feature, Microsoft Certificate Authority
must be installed on the PC. The Microsoft Certificate Authority configures the
configuration server to establish a secure connection between the configuration
server and Intel AMT in the client PC.

Remote Configuration Process

In remote configuration, the Intel Management Engine in the Intel vPro PC sends
provisioning requests over the network to SCS. SCS has vPro configuration data,
which is used to provision Intel AMT on the client. The PC‟s Intel Management
Engine and SCS establish trust and securely transfer configuration data to th e
Intel vPro PC.

Remote configuration has the following capabilities:

Remotely initiates client provisioning. The IT department controls when Intel

vPro PCs are provisioned and can re-initiate provisioning, if failure occurs.
Populates the provisioning server with Intel vPro PC configuration data and
supports automated provisioning.
Supports digital certificates for secure provisioning process using PKI -CH.

Scripting for Remote Configuration

Provisioning in remote configuration can be automated, by using scripting to
load the provision server database with the PC‟s provisioning information:

The RCT (remote configuration tool) reads the UUID and FQDN of the PC and
loads that data into the provision server database. The RCT uses the SOAP
API to send the information to the database.
The provision server script runs upon receipt of the PC‟s hello packet, and
uses WMI protocol to talk back to the PC and read the sent UUID and FQDN
data.

www.altiris.com The Process of Provisioning > 17

 Client-side scripts consist of two scripts. The first script runs on the PC after
the OS‟s FQDN is set. This script reads and sends the OS‟s FQDN and UUID
data to the intermediate database. The second script runs on the provision
server upon receipt of the PC‟s hello packet. It reads the Intel AMT
configuration data from the intermediate database and loads that
information into the provision server database.
To learn more about Remote Configuration, refer to the Altiris Out of Band
Management Solution 6.2 Administrator‟s Guide.

Delayed Provisioning and Reinitializing the Hello Pack ets

The first time an Intel vPro PC is connected to a power source and plugged into
the network, the Intel Management Engine starts sending configuration requests
(the “hello” packet) to the configuration server at short intervals. If Intel AMT is
not configured within the first 24 hours, the interval at which the hello packet is
sent is lengthened. Over time, the interval can be long enough that the process
seems to be inactive.

You can use the Altiris Agent interface to remotely restart the provisioning
request for Intel AMT. This is the delayed configuration feature in the Altiris
Agent. Delayed configuration tells Intel AMT to send hello packets for the next 6
hours, using the Altiris Agent interface. Delayed configuration is an in -band
function and requires the Windows OS to be running and the Altiris Agent to be
installed on the PC. Delayed configuration also requires DHCP.

USB-Key Setup
USB key configuration is a one-to-one method of provisioning. The administrator
password and PID/PPS keys are generated by Altiris and exported into the USB
key. The USB storage device is taken to the physical location of the Intel vPro
PC which needs to be provisioned and is used to upload provisioning information
into the system.

To use the USB setup method, the Intel Management Engine settings must be in
the factory-default state (AMT must not be set up or configured).

USB Key Requirements

USB key requirements vary from hardware vendor to vendor. The following USB
requirements work for most PCs:

Format the USB key as FAT 16. Some USB keys come formatted as FAT 32.
Do not use USB keys larger than 2 GB.
Have only the setup.bin file created during the security key export process
on the USB.
For instructions on how to provision an Intel vPro system using information
downloaded into a USB key, refer to the lab exercise in this document.

18 < The Process of Provisioning www.altiris.com

Re-Provisioning via USB Key
If the Intel Management Engine has already been accessed and the factory -
default password changed, the USB key must be prepared appropriately:

AMT must be fully unprovisioned on the PC.

PC must be rebooted after the security keys are offloaded (full
unprovisioning) in order to help reset AMT to factory defaults.
MEBx password must be reset to admin (or to the username/password pair
you specify in the database for that PC).
Security keys generated must match the administrator password (default is
admin; but this can be the username/password pair you specify in the
database for that PC).
Security keys must be successfully exported to the USB key.
The BIOS of the OEM must support USB-key provisioning.

Manual Setup
Manual provisioning is a one-to-one method of provisioning an Intel vPro PC by
typing the PID/PPS keys into the BIOS and/or MEBx. The PID/PPS keys are
generated by Altiris.

Manual provisioning requires that you go physically to the PC to enter the

provisioning parameters (initial security credentials, networking parameters, and
operational parameters) in the system.

This method is done only when other provisioning methods have not worked . It
is a time-consuming methods, and because it is manual, can introduce errors
into the setup and configuration process (with the result that provisioning is
more likely to fail). Manual provisioning should only be used as a last resort
backup measure.

For instructions on how to manually provision Intel AMT using Altiris, refer to the
Altiris Out of Band Management Solution 6.2 Administrator‟s Guide.

MEBx Parameters and Settings

The OEM sets some BIOS and MEBx parameters at the factory. This can include
setup of initial security credentials (default administrator password, PID, and
PPS).

The advantage of having PCs provisioned by the OEM is it can simplify

deployment. It eliminates the light-touch provisioning required by USB
provisioning method, and eliminates the need for manual provisioning in other
deployment scenarios. However, in environments in which security is a key
concern, security credentials for Intel AMT can be established in -house, through
the automated remote deployment process, through light-touch USB
provisioning, or manually.

OEM setup and configuration assumes that BIOS and MEBx parameters are set to
typical defaults (See table below).

www.altiris.com The Process of Provisioning > 19

Table 1. Typical Default Values for BIOS and/or MEBx Parameters

BIOS or MEBx setting Typical Default Value after Setup

Intel Management Engine Disabled Enabled1
Sleep-state power policies for Intel Off for S1-S5 On for S1-S52
Management Engine
Intel AMT 2.1 Disabled Enabled
Provisioning Mode Enterprise Enterprise
TLS Enabled Enabled
DHCP Enabled Enabled

The hardware vendor uses a factory firmware tool or an in-circuit test (ICT) tool
to generate and configure PID and PPS values into a flash device. The tool keeps
a database of values (UUID, Macs, PID, and PPS) that are burned into the flash
device.

Factory-automated setup, which loads the initial security-credentials into Intel

AMT for networking and TLS, follows several general steps:

1. The OEM enables the Intel Management Engine throughout BIOS, sets the
power policies for the management engine, and enables Intel AMT in MEBx.
2. A factory firmware image tool (or ICT tool) generates and configures PID
and PPS values into the Intel AMT persistent memory (memory not located
on the hard drive).
3. The OEM loads the PC‟s UUID and MAC address(es) into the Intel AMT
persistent memory. The OEM may also choose to customize other setup
parameters during this procedure.
4. At the end of a production run (or at appropriate intervals), the tool uploads
its database of values onto a CD/DVD-ROM or other convenient storage
device.
5. The factory ships the CD/DVD-ROM to the IT department.

1
The Intel Management Engine and Intel AMT must be enabled in order to set -
up, configure, and use Intel AMT.
2
Setting power policies for the management engine to s1-s5 allows Intel AMT to
initiate configuration in any power state, as soon as the pc is connected to
power and plugged into the network.

20 < The Process of Provisioning www.altiris.com

 6. The IT department loads the database from the CD/DVDROM into the Intel
SCS being used to configure Intel AMT.
As with advanced (fully automated) provisioning, these PCs can be delivered
directly to the user‟s desk. Because Intel AMT is already set up (by the OEM)
with appropriate keys and certificates, it is ready to go through its self -initiated,
automatic configuration. Once the user connects the PC to a power source and
plugs the system into the network, Intel AMT initiates and completes its own
configuration process.

Note that an OEM might provision multiple PCs with the same same PID/PPS
key. In this case, IT must reprovision the systems in -house to establish a unique
PID/PPS key for each PC..

For further information about the OEM provisioning process, refer to the Altiris
Out of Band Management Solution 6.2 Administrator‟s Guide.

Unprovisioning and Re-provisioning

Intel AMT can be unprovisioned or re-provisioned (see Figure 2).

Figure 2: Un-provisioning and re-provisioning Intel AMT

Re-provisioning is typically used when a PC is relocated in an enterprise or

needs enforcement of its approved configuration. During re-provisioning, a new
(or previous) configuration profile is loaded into the PC to reset or chan ge Intel
AMT parameters.

www.altiris.com The Process of Provisioning > 21

Unprovisioning Intel AMT
Unprovisioning is typically done when the PC is reconfigured for use in a
different environment, or is decommissioned from the enterprise.

You can partially unprovision the PC. A partial unprovisioning returns

Intel AMT to setup state. Partial unprovisioning erases the configuration
profile, but retains the security credentials established (PID and PPS) after
Intel AMT was fully provisioned. These credentials are a unique PID/PPS
security key generated as a result of the original provisioning process. With
those security credentials, Intel AMT and the SCS can still authenticate
communication and establish trust. This means Intel AMT can self-initiate
remote configuration again as soon as the PC is plugged back into the
network.
You can fully unprovision the PC. This erases both the configuration
profile and the security credentials. A full unprovisioning returns Intel AMT
to factory default state. A full unprovisioning is typically done in order to:
Remove the configuration profile.
Remap the FQDN and UUID
Prepare the system for permanent removal from the enterprise

Re-provisioning Intel AMT

You can re-provisiong an Intel vPro PC either by using the enterprise remote
configuration (fully automated) process, or by physically accessing the PC and
re-entering the security credentials and other settings.

Re-provisioning using remote setup: Once the PC is fully unprovisioned,

you can remotely re-establish security credentials and MEBx settings using
the enterprise remote-setup feature, with security established via
certificates and keys (zero touch process).
Note
Agent-initiated remote configuration systems will wait until an
agent requests that provisioning begin before it will allow the Intel
vPro PC to reinitiate the hello packets.

Re-provisioning using manual or USB-key provisioning: Once the PC is

fully unprovisioned, you must physically access the PC to re-enter security
credentials and initial MEBx settings.
As soon as the initial security credentials and MEB x settings are established,
Intel AMT can then continue with its self-initiated, fully automated, remote
configuration as usual.

22 < The Process of Provisioning www.altiris.com

DEPENDENCIES FOR PROVISIONING
This discussion explains:

Dependencies and criteria required for successful provisioning

Optimal conditions for provisioning in an Altiris managed environment.

Criteria Needed for Successful Provisioning

The criteria needed to successfully provision Intel AMT are:

Authenticate the Intel vPro firmware to the provisioning service.

Authentication must be done out of band. This establishes trust between the
provisioning service and the PC being provisioned.
Define a configuration profile for the Intel vPro PC. The profile includes
both required and optional settings for network, security, and operational
parameters in the client‟s management firmware, or MEBx.
Map unique identifiers. There are two key unique identifiers for every PC.
The first is the universally unique identifier (UUID), which is assigned to
every computer system board at time of manufacturing. The second is the
fully qualified domain name (FQDN), which is used to locate the PC using
DNS and allow provisioning and remote management. The FQDN can be
changed, but it cannot be duplicated within any given network environment.
The UUID and FQDN are also used in environments that take advantage of
TLS, Kerberos, and other advanced provisioning options.

Typically, mapping of the UUID and FQDN is automated as part of the

provisioning script that loads the provisioning profile. You can manually
enter the FQDN and AD OU, but this is a tedious and more likely to introduce
errors in the provisioning process.

The PC‟s FQDN must map accurately to the PC‟s UUID in order to produce a
final handshake, which confirms the provisioning process.

Optimal Conditions for Provisioning

In an Altiris managed environment, the optimal conditions for provisioning the
Intel vPro technology include:

The OS’s FQDN has been established. This may include integrating the PC
into an enterprise directory infrastructure.
A dynamic DNS record for the PC has been created. Once provisioning
is successfully completed, subsequent PC management requests work best
when the PC‟s IP address is resolved via DNS.
The Altiris Notification Server Client agent is installed and has
registered with the associated Altiris Notification Server which has the role
of ProvisionServer in the context of Intel vPro configuration.

www.altiris.com The Process of Provisioning > 23

 The Altiris OOB Discovery has been enabled, instructing the Altiris agent
to query the local PC for OOBM capabilities
Resource synchronization within the Altiris provisioning interface has
been enabled with a default provisioning profile.

Infrastructure Dependencies for Provisioning

The infrastructure for provisioning must have certain elements:

DNS
IP Address (DHCP)
SCS, including integration with the provisioning database
Management console (Altiris console)
The infrastructure for provisioning can also include optional elements to improve
security or support wireless devices:

Certificate Authority (CA)

Active Directory (AD)
802.1X security
Wireless profile (See the wireless module for more information)

DHCP/DNS/IP (Required)
The network and management infrastructure must support DHCP services so that
the vPro PC can be properly registered within the enterprise. DHCP allows Intel
AMT to receive the proper parameters for DNS, including the DNS suffix, which
is used in the provisioning process.

DHCP Server

When an vPro PC enters setup mode, the default for IP addressing is for AMT to
obtain an IP address from a DHCP server. The Intel Management Engine also
uses the DHCP server to help dynamically update the DNS server with its
network address information.

The DHCP server registers the FQDN with DNS, in order to generate the PKI
(public key infrastructure) certificate. Standard DHCP opt ion 81 is used to
register the vPro PCs in DNS. The DHCP server must support Option 81 to
register network address information into the DNS server on behalf of the ME.
The DNS is queried by the configuration server in order to compare the value of
that registration information against the received certificate. This enables the
server to accept TLS encryption.

DNS Server

The DNS Server is used by network devices such as the Altiris console to locate
address information for vPro PCs in order to contact the devices and manage
them. The vPro PCs may also use the DNS server during the configuration phase
to locate the provision server and request the information needed to configure
AMT in that environment.
24 < The Process of Provisioning www.altiris.com
Specifically, DNS is used to supply the host name for the vPro PC in order to
resolve the IP address and resolve the setup and configuration server IP address
during provisioning. Each host name and IP address for the Intel AMT -enabled
PC is automatically registered in the DNS by the DHCP. During the initial
activation process, the static IP name is resolved and registered in the DNS and
mapped to the SCS IP address.

If the provision server IP address was not manually entered during the Intel AMT
MEBx setup process, then MEBx makes a DNS request for the name
"ProvisionServer." If the requested name cannot be resolved by the DNS server,
then a second request is made for "ProvisionServer.DomainName." Intel AMT
expects to find the IP address of the provision server in this way, or by having it
set explicitly in the MEBx configuration process.

You must manually register the “provision server” entry into the DNS server.

During Intel AMT provisioning, scripts utilizing ProvisionServerDB are executed

on the client OS. These scripts link the Intel AMT UUID with the clien t OS‟s host
name and FQDN.

Firewall/Router Ports
Intel AMT requires certain ports to be “open” in order to allow management
traffic to go through them. The Intel AMT ports are 16992 (non -TLS), 16993
(TLS), 16994 (non-TLS redirection), 16995 (TLS redirection) – these are IANA-
assigned ports which Intel purchased. They cannot be changed. Port 9971 is
used in enterprise mode to listen for hello packets. This port is configurable at
both the SCS console and the Intel AMT client.

Database Server Integration

When you set up the Altiris console a new database is created that corresponds
with the SCS. The Altiris connection to this database can be secured or
unsecured. After the database is integrated with the SCS, make sure the proper
access method is selected.

SCS (Required)
SCS is a windows-style web service, accessed via a web interface. It is used to
perform steps necessary for setting up Intel AMT and configuring it for your
networking and operational environment. SCS also manages the configuration of
the Intel Management Engine. SCS stores settings and option choices for
certificates and security settings, while also verifying trust to the Intel
Management Engine. SCS acts as a proxy to Active Directory and the Certificate
Authorities.

The SCS server is required for enterprise provisioning and for remote
configuration (fully automated provisioning) of Intel AMT.

SCS also performs maintenance tasks, including reissuing digital certificates

before they expire, updating passwords, updating random number generato r
seeds, and synchronizing the system clock.

SCS also facilitate life cycle management:

www.altiris.com The Process of Provisioning > 25

 Generates a dataset of PID/PPS/password data for export to a USB key
Imports TLS-PSK lists from an OEM.
Handles certificate expirations, renewals, and delivery of certificate
revocation lists.
Checks logs.
Performs ad-hoc configuration operations
Performs unprovisioning and re-provisioning.

SCS and Active Directory (Kerberos)

If Kerberos authentication is enabled in OOB management, and the AD schema

has been extended, SCS registers Intel AMT in AD and in its own secure
database.

When Kerberos authentication is not activated, SCS is used for various

maintenance functions, such as updating passwords, and ACLs, and keeping logs
of all performed transactions.

Key Elements of SCS

The major elements of SCS are:

Windows service (the SCS main service)

Secure database
SOAP API
Console application (the Intel SCS console)
SCS requires a manual DNS registration entry that references it as
“ProvisionServer” within the appropriate DNS hierarchy. Manual registration is
done so that the Intel Management Engine can use the name to locate SCS
during the Intel AMT self-initiation phase of provisioning.

SCS keeps profiles, keys, and passwords securely within the SQL server
database. Requests for activation by the Intel AMT hosts are made to SCS, which
applies policies to the host and delivers certificates and/or passwords from the
certificate authority. SCS also accepts commands from Altiris. SCS provides
appropriate policy information in the form of ACLs, passwords (if not integrated
with AD), and appropriate meta-data to describe the Intel AMT host to Altiris, so
the Intel AMT-enabled PC can be managed.

Adding Device Information to the SCS Database

There are three ways to add device information to the SCS database:

Manually: The UUID and other parameters are entered into the new Intel
AMT configuration parameters.
SOAP API: AddServiceNewAMTProperties adds an entry to the SCS
database. An external management console can acquire the PC‟s information
using scripts, its own database, or a local agent and pass the information to

26 < The Process of Provisioning www.altiris.com

 SCS either before or after the Intel Management Engine starts sending its
hello packet.
Scripting: This method acquires configuration information using a script, if
the required parameters are not in the new Intel AMT database table. SCS
runs a script that retrieves the parameters from an external source.
Scripting is the recommended enterprise solution for provision ing a PC for use
with Intel AMT. The script is run on the Intel vPro PC after the system has joined
the appropriate AD domain. The script is executed to load an interim database
with the Intel AMT UUID and FQDN. The script can be executed manually, as
part of the AD logon script, or delivered as part of the standard software
delivery mechanism (see Figure 3).

Figure 3: Scripting option for provisioning

Certificate Authority (Optional)

Certificates offer several benefits: They enable fully automated remote
configuration, they support 802.1x security, they secu re communications to the
provisioning service (SCS), and they enable TLS to secure management traffic to
the Intel AMT capabilities on the PC.

A certificate binds information about an entity (such as the entity‟s name and
address) with the entity‟s public key. The binding is done by a certificate
authority (CA), a trusted third party.

For example, PKI-CH security is implemented using digital certificates and

mutual authentication. The PC‟s Intel Management Engine generates a self -
signed certificate and has a list of certificate hashes for trusted certificate
authorities. The provision server has the RCFG certificates signed by trusted CA,
and certificates for CA signing chain. During provisioning, the PC‟s Intel
Management Engine and provision server exchang e certificates and one-time
password (OTP) to establish trust and encrypt configuration data transferred to
the client. When PKI-CH is implemented, it allows the PID/PPS to be loaded into
the PC, without an IT technician physically accessing the machine.

Certificate hashes are small reproducible numbers computed by performing a

hashing function on a digital certificate. They are used because they are
typically 1KB in size or greater. 20 KB certificate hashes 20 bytes in size are
suited to the Intel Management Engine‟s storage capacity.

www.altiris.com The Process of Provisioning > 27

Certificate hashes are loaded into PCs by either being burned into the
management engine by the OEM. Hashes designed into the hardware/firmware of
the Intel vPro PC‟s management engine include:

VeriSign Class Primary CA-G1

VeriSign Class 3 Primary CA-G#-
Go Daddy Class 2 CA
Como AAA CA
Starfield Class 2 CA
CA integration is a complicated subject. To learn more about certificates and
how to prepare a certificate template and request, refer to the Altiris Out of
Band Management Solution 6.2 Administrator‟s Guide.

Remote Configuration Certificates

Remote configuration uses different certificates for different security purposes:

Server Authentication Certificates for server authentication and PKI-CH

delivery
Client Authentication Certificates, which authenticates remote configuration
certificates
Wildcard Certificates, which can support multiple domains
Default HP Certificate Hashes, which can be used in some circumstances to
simplify certificate generation

Server Authentication Certificates

The X.509 digital certificate is used in remote configuration for server

authentication and PKI-CH delivery. The maximum encryption key size for these
certificates is 2048 bits.

Client Authentication Certificates

The client authenticates remote configuration certificates using one of two

methods, depending on the Intel AMT version:

Un-secure DNS (Intel AMT 2.2 and 2.6) checks the server authentication
certificate and the OU or object ID (OID) information set for Intel AMT. It also
checks that the domain name of the RCFG certificate CN (Intel client setup
certificate) field equals the domain name received from the DHCP server and
that the certificate is traceable to trusted root certificate hashes.

Secure DNS (Intel AMT 3.0) checks the server authentication certificate and the
OU or OID information set for Intel AMT. It also checks that the domain name of
the RCFG certificate CN field equals the MEBx PKI Domain or RCFG certificate CN
field equals the MEBX SCS FQDN option. The certificate is also trac ed to
determine if it originates from a trusted root certificate hash.

28 < The Process of Provisioning www.altiris.com

Wildcard Certificates

Another type of Remote Configuration certificate is the Wildcard certificates,

which are available in Intel AMT 2.6 and 3.2 with the capability of supporting
multiple DNS domains. The PC authenticates wildcard certificates by checking
the server authentication certificate and checking that OU and OID information
is set for Intel AMT. It also checks if the domain name of the RCFG certificate CN
field equals overlapping fields of the domain name received from the DHCP
server. The certificate is also traced to verify that it comes from a trusted root
certificate has.

Default HP Certificate Hashes

The HP Intel Centrino PCs with vPro technology come with five default cer tificate
hashes. The present interface/setup for these units does not allow these
certificate hashes to be amended. If a certificate can be generated internally and
applied to installed hashes without altering the installed hashes, then use those
certificates. If not, you will have to purchase an external certificate. The OID
can be used to create certificates for the remote configuration certificate – yet it
may be easier to use an Intel client setup certificate (CN)

Each ProvisionServer instance needs a remote configuration provisioning

certificate. The certificate is issued for a specific DNS context – which the PCs
need to match via DHCP option 15.

Active Directory (Optional)

Iintegration with Active Directory allows the Altiris console to use Kerberos
authentication to securely manage Intel AMT credentials. Kerberos simplifies
single logon and administration.

Active Directory (AD) offers several key benefits: Kerberos authentication,

support for 802.1x security, centralized account management, a single user
account, and a single account database. Note that AD integration is required for
802.1x security features.

One issue with AD is that AD integration requires AD schema extensions and a

separate organizational unit to contain Intel ME objects.

Support for Kerberos Authentication and 802.1x

Kerberos authentication and/or 802.1x security is enabled by the data, which is

stored in the Active directory object id system. The AD extension is needed for
authentication of the client in order to connect the client to the network.

Active Directory Provisioning

In the context of provisioning, SCS is a domain-local security group created in

each AD domain which contains managed Intel AMT-enabled PCs. The AD is
necessary for configuring the Certificate authority to secure the environment. By
extending the AD schema, the SCS console can group machines and provide
security rights to AD groups. AD schema extensions allow Intel AMT -enabled PC
to be members of the AD.

www.altiris.com The Process of Provisioning > 29

SCS and Active Directory Tasks and Permissions

When using AD, interaction between Management Console applications and the
Intel AMT API is authenticated with the Integrated Windows Authentication mode
via the API authentication mechanisms.

The AD service is used to authenticate between the Altiris console and Intel vPro
PCs. To enable use of AD, you must create instances of Intel-Management-
Engine, which is the special class added to the AD schema each time the SCS
completes setup and configuration of an Intel AMT device. These instances are
called “AMT objects.”

Best practices also require that you:

Periodically change the password of these objects automatically.

Delete an AMT object when it is no longer needed.
To enable Intel AMT to use of AD, the following permissions must be granted to
user accounts associated with the SCS (these are the user accounts entered
when the SCS is started):

“Create/Delete Intel-Management-Engine objects” permission in the relevant

Organization Unit (OU) where objects are created.
Full Control over Intel-Management-Engine objects
One way to do this is by using the “Delegate Control Wizard of the Active
Directory Users and Computers” MMC.

Extending the Active Directory Schema

Active Directory schema extensions are not required for AMT OOB management,
but Microsoft recommends applying the schema extensions for other nonrelated
vPro capabilities. Refer to Microsoft documentation for t hese additional
capabilities. However, the Active Directory must have two items configured for
Altiris to manage AMT-enabled PCs.

Create the Active Directory OU container in the domain for each AMT-
enabled PC.
Configure security permissions on the container for Altiris to generate
an object for each AMT device. Altiris will publish an AMT object into a
specific OU for each vPro PC that is provisioned by the OOB Management
Service Point. This is a different object than the computer object that hosts
the computer account in the domain.
The Intel SCS installation contains an .LDF AD schema extension definition and a
script that is used to extend the Active Directory schema for Intel AMT. The AD
administrator must run the script and schema definition (provided with SCS) to
extend the AD schema for Intel AMT.

The following schemas are used to extend the AD schema:

BuildSchema.VBS – script run by the administrator on the AD to extend

the schema.

30 < The Process of Provisioning www.altiris.com

 CheckSchemaExists.VBS – script run on the AD to validate the schema has
been extended in support of Intel AMT.
ExportSchema.VBS – script to export AD schema to an .ldf file.
IntelAMT.LDF – schema definition file called by BuildSchema.vbs that adds
the necessary classes and objects to the AD.
Ldf.log – log file that is generated after the schema extension files have
executed.

Integrating SCS with Active Directory

Intel SCS integrates the Intel AMT device with AD by creating a directory entry
based on a new class: Intel-Management-Engine. The SCS installation includes
scripts used by the administrator to:

Extend the AD schema to support the Intel-Management-Engine class. The

new class has these attributes:
Intel-Management-Engine-Version (Received in the „Hello‟ message
from the Intel vPro PC)
Intel-Management-Engine-Host-PC (a link to the platform PC object
created when the host joins the domain)
Intel-Management-Engine-Platform-UUID (Received in the „Hello‟
message)
Intel-Management-Engine-Host-PC-BL (added to the PC object class as
a back line to an Intel AMT object)
“Intel-Management-Engine-Host-PC-BL” (added to the top PC object
class)
Populate the Intel-Management-Engine attributes.
During setup, Intel SCS:

Creates an Active Directory object representing the Intel AMT device: (Note:
This requires an SCS service account to have appropriate permissions to the
AMT Object Organizational Unit.)
Creates an attribute for connecting the AD computer object to the AMT
object.
For more information about AD, refer to the security discussion.

Active Directory Hotfixes

For proper operation, Microsoft hotfixes 899900 and 908209 are required for
Kerberos to work with Intel AMT. The fixes can be downloaded from the
Microsoft website and need to applied to all servers and consoles that will be
communicating with Intel AMT devices. Windows Server 2003 Service Pack 2
(SP2) includes these fixes and do not require them to be applied. Windows
Server XP requires the hotfixes. Investigation into the status of these with Vista
remains open at date of printing.

www.altiris.com The Process of Provisioning > 31

SECURITY
Because the Intel AMT capabilities offer powerful ways to manage the PC out of
band, they require certain security measures.

Intel vPro technology uses a variety of security methodologies and technologies

to protect the provisioning process, secure the out-of-band communication
channel, protect access to Intel AMT capabilities, and authenticate the
management console.

Intel vPro technology also allows you to choose the operati onal security level
appropriate for your client environment. Choosing the right security level for the
environment is important. Too much security can leave customers confused and
frustrated. Insufficient security can expose customer data or open vulnerabilities
to viruses, worms, and other threats.

Key Questions to Consider

Before deciding what security measures to establish or enable for Intel AMT,
answer these questions:

Does the customer currently have Microsoft Active Directory

deployed? AD is required for Kerberos authentication and Microsoft
enterprise certificate authority.
Does the customer’s security policy require encryption of syst ems
management communications? Encryption requires TLS.
Do you need to ensure authenticated identity of the notificat ion
server when connecting to Intel AMT? This would require TLS server
authentication.
Does the server need to verify the authenticity of the client while
connecting to Intel AMT? This requires TLS mutual authentication.
Is an enterprise Microsoft certificate authority deployed in the
environment? This is not required if not using TLS or 802.1x.
Does the customer currently use a RADIUS Server? If so, are 802.1x
profiles used on the wired / wireless network?

Security during Provisioning

Security during provisioning consists of authentication and establishing trust
between the Intel Management Engine and the SCS.

During provisioning, the Intel vPro PC establishes a secure communication

channel to the Intel Setup and Configuration Service (SCS) via certificates
and/or a public key.

Trust for communication with the SCS is established via the Intel Embedded
Trust Agent, Intel Trusted Execution Technology (Intel TXT), and other security
methodologies and technologies built into Intel vPro technology. These security
technologies help make sure that passwords, access control lists, and other
sensitive data remain protected during remote provisioning.
32 < The Process of Provisioning www.altiris.com
Security in Enterprise Mode vs. SMB Mode
Security is one of the key differences between using Intel vPro in SMB mode
versus enterprise mode.

Enterprise mode requires TLS and supports Active Directory (Kerberos) , as

well as other advanced security methodologies and technologies.
SMB mode does not support TLS or Active Directory. SMB mode relies on an
administrator password and HTTP to prevent unauthorized access to the
Intel AMT capabilities.

Security Methodologies and Technologies

Intel vPro technology includes or supports a variety of security methodologies
and technologies:

Admin username and passwords

PID-PPS security key pairs help ensure a secure connection between Intel
AMT and the provisioning server. After Intel AMT is configured, these keys are
no longer used and are deleted from the Intel SCS database.

TLS encryption
Mutual authentication (MTLS)
HTTP digest authentication
Active Directory (Kerberos)
Pseudo-random number generator in the firmware of the Intel AMT system,
which generates high-quality session keys for secure communication.

Only digitally signed firmware images (signed by Intel) are permitted to load
and execute.

Tamper-resistant and access-controlled storage of critical management

data, via a nonvolatile data store in the Intel AMT hardware.

Access control lists (ACLs) for Intel AMT realms and other management
functions.

The rest of this discussion provides more description for some of the security
methodologies and technologies you might need or want to set up or customize.

Admin Username and Password

Basic security for access to Intel AMT features can be established by using an
admin username and password. A digest user is not linked to the AD or LDAP
user account and is essentially an additional username and pas sword for the
user to remember. Security via an admin password is typically used in SMB
environments, not in enterprise environments.

An admin password allows users to access and change Intel AMT features, as
well as set some security settings. To minimize vulnerability, only strong
passwords are accepted. Strong passwords must be at least 8 characters long

www.altiris.com The Process of Provisioning > 33

and contain at least one numerical value, one nonalphanumeric character, and a
combination of upper and lower case letters. For example: P@ssw0rd.

You can also change or randomize the default admin password that allows access
to Intel AMT features. If you randomize the password, authenticating to Intel
AMT with the default admin account will only be possible through the notification
server console.

In Altiris, you can enable password randomization of the default admin user on
the General tab of each provisioning profile.

TLS Encryption
Transport Layer Security (TLS) encrypts communication in order to secure traffic
to/from various elements of a network. TLS helps prevent snooping, altering,
and forged impersonation. TLS offers several benefits:

Greater security
Ensured authentic communication between Intel AMT and the server
Data integrity
Data theft prevention

TLS Requirements

TLS requires that Intel AMT have a self-signed certificate that is traceable to a
certificate authority. To use TLS for Intel vPro PCs in an Altiris environment, you
must install a Microsoft Windows 2003 Certificate Authority in the environment
and configure it to issue certificates automatically. The CA must be accessible
and associated to the Altiris provisioning service.

How It Works

TLS involves three general phases:

Peer negotiation
Public key exchange with certificate-based authentication (TLS-PSK)
Symmetric code encryption
TLS places a server authentication certificate on the Intel vPro PC during the
provisioning process. The certificate is used to authenticate an endpoint of a
network communication connection, which ensures trust between the endpoints.
The data passed through the connection is encrypted by the certificate, which
prevents modification of that data.

During provisioning of an Intel vPro PC, TLS encryption secures communication

over the network between Intel AMT and the provision server (and later, to the
management console). The TLS server authentication certificate is matched to
the TLS root, which validates the TLS certificate.

Because of the way handshaking occurs during authentication, the PC actually

acts as the server and the Altiris console acts as client in the TLS security
model.

34 < The Process of Provisioning www.altiris.com

Once Intel AMT is provisioned on the target PC, subsequent authenticated
sessions to Intel AMT on the PC are encrypted using TLS.

TLS Encryption and Mutual Authentication

TLS typically verifies and authenticates only the server , which means that Intel
AMT can be sure of the server's authenticity. Authentication is established by
TLS pre-shared key (TLS-PSK). The endpoint (the Intel AMT-enabled PC)
remains unauthenticated.

TLS can also optionally authenticate the client-side of the communication tunnel.
This is called mutual authentication. Mutual authentication requires that Intel
AMT have a self-signed certificate that is traceable to a certificate authority.

Note
Do not confuse the TLS security keys that are part of Altiris
interaction with the vPro PC, with the TLS-PSK keys that are used
during setup and configuration. These are separate keys. On ce the
TLS-PSK keys are used during the setup and configuration stage,
they are not used again unless an vPro PC is re-provisioned. The
other TLS keys are used for remote-management communications
from Altiris to the Intel vPro PC.

For additional information about TLS, see the Altiris OOBM solution reference
guide, page 59.

TLS, Altiris, and Redirection Traffic

With PCs provisioned for TLS, a majority of the Intel AMT management traffic
functions will be handled normally via the Altiris console without further
changes. The one exception is redirection traffic. Redirection traffic includes
integrated device electronics redirection (IDE-R), which is used to remote boot
an Intel vPro PC, and serial-over-LAN (SOL), which is used for console
redirection of an Intel vPro PC. IDE-R and SOL are not based on HTTP protocols,
thus the default TLS negotiations within HTTP are not available. The Altiris Real-
Time Console Infrastructure will need to know the certificate path, which is
defined via a Privacy Enhanced Mail-format (PEM) file.

For information about configuring Altiris for redirection sessions when TLS is
enabled, refer to the provisioning guide: Intel® vPro™ Standard and Advanced
Provisioning in an Altiris Environment.

Mutual Authentication
In mutual authentication, the client and server authenticate each other by
requesting certificates from each other, so both client and server can be assured
of the other's identity. Mutual authentication lets you establish greater security
for network communications. Mutual authentication requires public key
infrastructure (PKI) deployment or TLS-PKI. Remote configuration (fully
automated setup and configuration of Intel AMT) requires mutual authentication.

Mutual authentication in an Altiris managed environment requires that a list of

trusted root certificates be installed in the certificate store of the provision
server (in other words, imported into the database). The provisioning server

www.altiris.com The Process of Provisioning > 35

must have an Intel® Client Setup Certificate, and the PC must have a self -
signed certificate. Both certificates must be traceable to a certificate authority.
The Intel AMT-based PC has a series of certificate hashes which identify
approved certificate authorities.

Active Directory (Kerberos Authentication)

AD service is optional. It is used to provide Kerberos authentication between the
Altiris Agent and Intel AMT. Kerberos authentication lets you use the existing AD
users and groups when configuring the ACLs. Kerberos offers several benefits:

It provides a standards based authentication protocol

Integrated authentication to Intel AMT devices without maintaining separate
usernames and passwords
Strong authentication through the use of secret-key cryptology
Single login per session and credentials passed between resources.
Intel AMT devices defined and managed in the Active Directory.
Kerberos requires Microsoft Active Directory. Integration with Active Directory
requires extension of the Active Directory schema to support the Intel -
Management-Engine class.

Enabling AD follows these general steps:

Create instances of Intel Management Engine, which is the special class added to
the Active Directory schema each time the SCS completes setup and
configuration of Intel AMT capabilities. These instances are called „AMT objects.‟

Periodically change the password of these objects automatically.

Delete an AMT Object when it is no longer needed.

802.1X authentication profiles

802.1x is typically used for increased security in a Wi -Fi environment. 802.1x
can also be used on a wired network.

802.1x authentication requires a RADIUS server like Microsoft ISA server.

The supported protocols are EAP-TLS, EAP-TTLS (MSCHAPv2), EAP-PEAP,
EAP-(GTC), EAP-FAST (MSCHAPv2), EAP-FAST (GTC).

Access Control Lists (ACLs)

Not all users require access to all features of Intel AMT in order to do their jobs.
In enterprise mode, you can use access control lists to specify which users will
have permission to access which Intel AMT features. You can grant / restrict
management permissions to four categories of features:

Hardware Information
Event Log
Remote Control
Update Firmware

36 < The Process of Provisioning www.altiris.com

An ACL entry has a user ID and a list of realms to which a user has access. ACL
access is required to use the functionality within a realm. The ACL(s) is part of
the configuration profile, which is loaded into the system during provisioning.

There are two kinds of ACL entries: Kerberos and non-Kerberos. Kerberos
entries have an Active Directory SID to identify a user or groups of users. Non -
Kerberos entries have a username and password for user identification.

Remember these points when establishing access control lists:

Identify which users really requires access to Intel AMT

Determine which users or groups will need access to Intel AMT. Typical users
include administrators, systems analysts, systems engineers and support
technicians. If the customer will integrate with AD, work with the customer
to determine which AD groups these users are a member of. If the customer
does not plan to integrate with AD, digest users will either be created for
each user or a shared digest user will be created for users with a common
role.
Identify the specific tools or realms to which users need access
Identify the Intel AMT capabilities and level of access each user group or
business unit requires in order to support their job function. Best practices
recommend that you enable access to only those Intel AMT features that a
user requires.

There are several realms to choose from when configuring the ACLs , and
realms are often vague in their descriptions as to exactly what features they
enable. For a definition of each realm and additional information on planning
the ACLs, review the following article on juice.altiris.com:
http://juice.altiris.com/article/2040/passwords-permissions-and-access-
control.
Kerberos authentication
If using Kerberos authentication, determine whether the Intel AMT user(s)
are members of an Active Directory group
Determine whether you need a consistent approach throughout the
organization
If the ACL for all users or groups will remain consistent throughout the
organization, you will probably be able to create a single provisioning
profile. Managing multiple profiles can be difficult, so whenever possible,
consolidate profiles.
If a user or group will require more or less access to realms on certain PCs, you
will have to create alternate provisioning profiles for those systems.

Securing the Management Console

SCS console security is managed by the Intel SCS database. An admin using the
Altiris console is not necessarily an admin for the Altiris OOBM solution. The
permissions and access for various types of admins are controlled by the "Users"
attribute under Configuration Service Settings. At installation, a default entry of
the Altiris administrator is added. You might have to change the Users service

www.altiris.com The Process of Provisioning > 37

settings to customize and grant/restrict privileges for specific users (see Figure
4).

Figure 4: Select Users

Admin users of the provisioning console can be selected from the local system or
from Windows domain user lists. Each user can be assigned one of four roles:

Enterprise Administrator -- full control of configuration and setting,

including adding or changing Users list and settings.
Administrator -- full control of configuration and setting, yet unable to
change Users list and settings.
Operator -- able to create or modify Profiles, review logs, and related
operations. Not able to change properties of Intel AMT settings, general
settings (worker threads, polling interval, etc).
Log Viewer -- able to review log messages only.
Altiris console permissions can also be used to remove read access from the
provisioning console objects and hide certain functions from specific users if
necessary.

Your network policies and operational modes will determine how you set up your
user lists and their associated roles. From a console and provisioning security
perspective, it may be best to give only a few (perhaps only one) users full
enterprise administrator access. The majority of users requiring access might be
only operators and log viewers.

38 < The Process of Provisioning www.altiris.com

SAMPLE INTEGRATION PROCEDURES
The procedures in the rest of this document will help you understand how to
setup, configure, and integrate and Intel vPro PC into your management domain .

Procedure 1:
Provisioning Using a USB Key
1. In the Altiris Console 6.5, select View > Solutions > Out of Band
Management.
2. In the left pane, select Out of Band Management > Configuration >
Provisioning > Configuration Service Settings (see Figure 5).

Figure 5: General service settings

3. Set the General provisioning settings to enable Remote Configuration, with

logging set to Debug Verbose.
4. Apply the setting.
5. Navigate to Out of Band Management > Configuration > Provisioning >
Configuration Service Settings > Security Keys.

6. In the right pane, select the Export Security Keys icon . The Export
Security Keys to USB Key window will then be displayed From this
interface an administrator can determine the number of keys to generate,
the old and new MEBx password, and download the resulting setup.bin file
to a preferred location.

www.altiris.com The Process of Provisioning > 39

 7. If there are security keys that are already generated and have not been
used, select All, select Generate, and then select Download USB Key. If
there are no security keys generated, select Generate keys before export,
and choose the numbers of keys to export as well as entering the default
and current Intel Management Engine Password.
8. Select Generate and Download US key file (see Figure 6).

Figure 6: Generate and download USB key file

40 < The Process of Provisioning www.altiris.com

9. In the File Download window, select Save and save the setup.bin file in the
USB key (see Figure 7).

Figure 7: Select Save

10. Go to the physical location of the Intel vPro PC, connect the cables
(including network cable), a monitor, and a keyboard.
11. Insert the USB key and power-up or restart the PC.
12. Follow the on-screen instructions to setup the PC. Note: The specific PID-
PPS key pair used to configure the PC is marked on the USB key as used, so
the key can not be used again.
13. Restart the PC.
The PC will begin sending hello packets to the notification server PC, and the
SCS will send the appropriate provisioning profile back to the Intel vPro PC.

www.altiris.com The Process of Provisioning > 41

Procedure 2:
Remote Configuration
This lab shows how to enable remote configuration, create a configuration
profile, and initiate fully automated remote configuration of Intel AMT. Setting
up the infrastructure and PC for remote configuration follows five general steps:

Step 1: Enable remote configuration

Step 2: Create a configuration profile
Step 3: Synchronize resources
Step 4: Prepare the Altiris Real-Time Console Infrastructure (RTCI) profile
Step 5: Install the remote configuration certificate
Once the infrastructure is ready for remote configuration, you can deploy and
configure Intel vPro PCs in a fully automated, remote process.

Step 1: Enable Remote Configuration

1. To access the provisioning console, select ViewSolutionsOut of Band
Management.
2. Check the check box to enable OOB discovery, and then select Apply (see
Figure 8). You should enable OOB discovery so that the Altiris co nsole can
take advantage of the AMT OOB feature and read the system's UUID even
when PC power is off.

Figure 8: Select Enable > Apply

3. In the left navigation pane, under Configuration Service Settings, select

General.
4. In the right pane, under General, check the Allow Remote Configuration box.
5. Under Log level make sure Debug verbose is selected (see Figure 9).

42 < The Process of Provisioning www.altiris.com

 Allow
Remote
Configura
tion
Set
logging to
verbose

Figure 9: Enable Remote configuration

Step 2: Create a Configuration Profile

Configuration profiles determine what settings the target Intel vPro PC will
receive. You can define multiple profiles and settings. This lab shows how to
create a standard profile.

1. Select Provision Profiles followed by the + sign to create a new profile.

The Provision Profiles determine what settings the targ et Intel vPro PC will
receive. This procedure defines only a basic profile, but you can define
multiple profiles and settings as appropriate for your managed environment.
2. Set Administrator credentials in the Administrator credentials area by
selecting Manual, and entering a strong password (for example P@ssw0rd.
3. Enter a profile name and brief description of the profile (see Figure 10).

Set to
Manual

Figure
Set Profile Set to
[numb
name and P@ssw
er]
description ord a. C
a
p
t
i
o
n

www.altiris.com The Process of Provisioning > e

43
x
p
l
a
 Figure 10: Enter provision profile information

4. Select the ACL tab.

5. Using the Add button, create a new ACL entry as shown in Figure 11.
Set the User name to MF08.
Digest User MF08 with
Set the password to P@ssw0rd.
password of P@ssw0rd
Set access permissions for realms to Any.
Figure [number]
Caption explaining the
figure or graphi

c. “This text can be

used forSet to ANY allowing
analyst
quotes local
or foror remote access
to realms
figure references.
The formatting
style is Sidebar
Only user Quote. The frame
specific should always be
realms 0.5” from the
page.
d. “The text is
anchored to the
main body. If you
select the frame,
you will
Figure 11: ACL notice
Profile
the anchor icon.
You can
6. Save the ACL and the Profile by selecting theeasily
OK button in each dialog.
drag the icon to
Step 3: Synchronize Resources the appropriate
main body text
In addition, the Resource Synchronization settings determine the replication
area. If you
interval between the Intel AMT database into the Altiris CMDB. Determining a
delete the main
default profile during the provisioning process also helps to automate the
body text, this
provisioning of future PCs.
will also delete
the Sidebar
Follow these steps to synchronize resources:
frame.”
1. Navigate to the Intel® AMT systems located under Provisioning.
—Sidebar Title
2. Select Resource Synchronization.
3. Select Enable to enable resource synchronization, with the Intel AMT 2.0
profile set the profile previously created. Enable the remaining settings as
shown in Figure 12. e.
4. Check the checkbox to select Use DNS resolution to find FQDN when
assigning profiles.

44 < The Process of Provisioning www.altiris.com

Figure [number]
Caption explaining the
5. Check the checkbox to remove duplicate Intel® AMT resources from the
notification server.
6. Under Enable Schedule, select Half-Hour.
7. Select Apply to apply the changes.

Enable

Default
Profile

Figure 12: Resource Synchronization

Step 4: Prepare the Altiris Real-Time Console Infrastructure

(RTCI) profile
Real-time console infrastructure (RCTI) profiles are used to automatically login
using a set credential. The RCTI profile defines the credentials used by
administrators to access a provisioned Intel vPro system. You can define
multiple profiles, with one set credential assigned to the primary profile.

1. To access the real-time console infrastructure profiles, select

ViewSolutionsReal Time Console Infrastructure.
2. Navigate to Configuration  Manage Credential Profiles.
3. Selecting the + sign in the right-hand pane to create a new profile that
enables the Intel AMT settings. Use the Digest user name and password
created in the previous exercise, and set the RTCI profile name as shown in
Figure 13.

www.altiris.com The Process of Provisioning > 45

 Enable Intel® AMT
for the RTCI profile

Enter the
Digest User
and Password

Enter a Profile
Name

Figure 13: enter RTCI profile

4. Once the new RTCI profile has been created, select it as the default profile.
This will be indicated by a green check mark (see Figure 14).

You must now specify the trusted domain and location of the PEM file where
TLS is included in the provision profile.

Select the
profile to set
as default

Figure 14: Make the new profile a default profile.

5. Navigate to Real-Time Console Infrastucture > Configuration >

Configuration.

46 < The Process of Provisioning www.altiris.com

6. Select the Intel AMT Connection Settings tab in the right-hand pane.
7. Ensure the Trusted Domain suffixes and Trusted CA certificate location are
set as shown in Figure 15.

Figure 15. Trusted domain suffixes and CA certificate location

At this point, the basic setup (authentication) settings are in place, but the
Intel vPro systems cannot yet locate the ProvisionServer. A DNS record
needs to be created.
8. Access the Domain Controller virtual machine by selecting the VMware
toolbar at the top of the management console. The right arrow will switch
between virtual machines.
9. Open the Infrastructure Tools.msc Microsoft Management Console Snap-
in.
10. Navigate to the DNS entries for vProdemo.com and create a new entry by
right-clicking on the right window pane
11. Select New Alias (CNAME) and enter the following values (see Figure 16):
Alias Name: ProvisionServer
FQDN: Altiris.vprodemo.com

www.altiris.com The Process of Provisioning > 47

 Figure 16: Enter Alias name

48 < The Process of Provisioning www.altiris.com

12. Make sure the existing DNS record for Altiris is pointing to IP address
192.168.0.30
13. To validate that the entry resolves to the Altiris server, either open a
command window and PING ProvisionServer or return to the Altiris virtual
machine and select the DNS Configuration under the Provisioning menu,
then select the Test button. Both IP addresses will resolve to 192.168.0.30
(see figure 17).

If the two address do

not match
192.168.0.30, STOP
and notify the
instructor

Figure 17: Select Test button

14. If the expected IP address does not appear:

a. Open a command prompt and type IPconfig /flushdns.
b. Try the DNS Configuration Test again. If still experiencing issues,
please notify the instructor. This step must be completed before
continuing.

Step 5: Install the Remote Configuration Certificate

At this point, the DNS of the ProvisionServer matches the Intel SCS IP address.
The Altiris provisioning console is set up, and the Intel vPro PCs are trying to set
up and configure themselves. The errors indicate that matching provisioning
information is missing on the server. You must now install the provisioning
certificate.

www.altiris.com The Process of Provisioning > 49

You must first obtain a provisioning certificate. The service AMTconfig handles
Intel vPro provisioning. Remote configuration requires that a provisioning
certificate be accessible and associated to this account.

The basic sequence of acquiring a certificate includes:

1. Generating a Certificate Signing Request (CSR) from the target s erver.

2. Submitting the request to the issuing Certificate Authority (e.g. VeriSign).
3. Receiving a signed certificate from the Certificate Authority (e.g. CER file).
4. Complete the certificate request to associate the locally stored private key
generated by creating the CSR.
5. Export the completed certificate to PFX format with private key for backup
purposes.
Note
This lab uses the VeriSign certificate PFX file to the Altiris server.
For more information about remote configuration for an Altiris
environment, including acquiring the provisioning certificate, visit
http://juice.altiris.com/node/3866.

Import the Certificate to the Local Computer Certificate Store

Follow these steps to access the personal certificate store and import the
certificate to the local computer certificate store:

1. To identify the AMTconfig service logon account, open the Console.msc

from the Altiris virtual server desktop. Select Services followed by
AMTconfig.
2. Select the Log On tab. The account in this configuration is a domain
account with local administrator privileges. The name of the account is
SCSserviceaccount with a password of P@ssw0rd (see figure 18).

Identify the
service account

Figure 18: Identify service account

3. Access the personal certificate store of the Intel SCS service account by
clicking on MSC for SCSserviceaccount shortcut located on the desktop.
This runs the following command:
runas /u:vprodemo\SCSserviceaccount mmc
4. At the prompt for the account password, enter P@ssw0rd.
50 < The Process of Provisioning www.altiris.com
5. Once the Microsoft Management console has appeared, click Open to open a
predefined MSC from the desktop. This will access the “My User Account”
certificate store (see figure 19).

Figure 19: Open SCS service account

6. Import the remote configuration provisioning certificate by right clicking in

the personal store and select All Tasks  Import (see figure 20).

Figure 20: All Tasks > Import

7. From the certificate wizard, browse to the PFX certificate stored at c:\certs
(see figure 21).
8. If the certificate is not immediate available, ensure the file types is set to
.PFX. Select the second certificate shown –VeriSignCertBackup.pfx.

www.altiris.com The Process of Provisioning > 51

 Figure 21: Select PFX certificate

9. When prompted for a password, use Pr0t3ct!0n. (Note that the „0‟ is a zero
and the „I‟ is an exclamation mark.)
10. Select the Mark this key as Exportable check box and click Next.
11. When prompted to select a certificate store, select Automatically select
the certificate store based on the type of certificate . This will ensure
the intermediate and root certificates are added to the correct certificate
folders within the local computer certificate store.
12. Click Finish to complete the task. You should see a status message
indicating that the import was successful.
13. Press F5 if necessary to refresh the screen and update the display in ord er
to see the newly imported certificates.

Examine the Remote Configuration Provisioning Certificate

Once the certificate has been imported, you should validate that the private key
is present.

1. Double clicking on the certificate vprodemodc.vprodemo.com in order to

validate that the private key is present (see Figure 22).

The first view of the certificate, on the General tab, will include a note at
the bottom that the private key is installed (see Figure 23).

Figure 22: Select the certificate

52 < The Process of Provisioning www.altiris.com

 Figure 23: Verify that private key is installed

2. Select the Certification Path tab. The intermediary and root certificates
are shown (see Figure 24), providing the security chain path from leaf to
root certificate.

(If the intermediary or root certificates are not in the local PC certificate
store, make sure to obtain and load them.)

Figure 24: Check the certification path

3. Double click on the root certificate - VeriSign Class 3 Public Primary CA

to open the certificate.
4. Click on the Details tab.
5. Scroll to the bottom of the listing and select Thumbprint (see Figure 25).
This is the certificate hash. A matching root certificate hash is in the Intel
AMT firmware.

www.altiris.com The Process of Provisioning > 53

 Thumbprint of
the Root
certificate

Figure 25: Check certification path

6. Check the Details tab of the root certificate to make sure the thumbprint
complies with the thumbprint or certificate hash on the Intel vPro system(s).
7. Click OK to close the Certificate dialog.
8. In the Certificate screen that lists the intermediary, root, and leaf
certificates, select the leaf node Intel(R) Client Setup Certificate.
9. Check the Details tab of the Leaf Certificate to make sure the subject
includes a CN with the same DNS domain context, along with an OU equal to
the Intel(R) client setup certificate. Both of these fields, along with the
certificate hash, will be important to the authentication process during
provisioning (see figure 26).

54 < The Process of Provisioning www.altiris.com

 Subject properties
of the Leaf
certificate Figure 26: Check Details

Finish Installing the Certificate

Once you have verified details, you are ready to use LoadCert.exe to finish
installing the certificate.

1. With the certificates added to the appropriate certificate stores, complete

the certificate association process by using the LoadCert.exe utility found
at C:\Program Files\Intel\AMTConfServer\Tools of the Altiris VM.
2. Select Y when prompted (see figure 27). The system will display a list of all
certificates in the local computer certificate store.

www.altiris.com The Process of Provisioning > 55

 Figure 27: Select Y

3. Select the bottom certificate with a Friendly Name (Column Header) of

Intel(R) Client Setup Certificate.
4. Click View Certificate to view the certificate and make sure it is correct
(see figure 28). The dialog below may be minimized at first. You can also
check the tool bar of the VM if the window is not automatically displayed.
With the remote configuration provisioning certificate and provisioning
configuration set, the ProvisionServer is now able to receive and process
requests.

Figure 28: Select Intel vPro PC's setup certificate

56 < The Process of Provisioning www.altiris.com

Complete and Monitor the Provisioning Process

Now that you have set the remote configuration provisioning certificate an d
provisioning configuration, and configured the provisioning service, the
ProvisionServer can receive and process incoming or existing provisioning
requests. This process typically occurs within a few minutes or hours, depending
on task schedules, agent deployments, and other dependencies.

1. Return to the Altiris Provisioning console by select View > Solutions > Out
of Band Management.
2. Navigate to Out of Band Management Configuration  Provisioning 
Logs  Log.
A few additional errors may have appeared, but after a successful
provisioning, the provisioning log will appear similar to Figure 29 . You can
also select Intel AMT systems above, and check system status, which will
now show as Provisioned.

Figure 29: Successful provisioning (provisioning logs)

With the configuration settings in place, the provisioning process is ready. The
Intel vPro PCs (which are ready to initiate configuring and direct their hello
packets) can successfully communicate with the ProvisionServer, and both client
and server can authenticate to each other.

You can also use the Activator utility in a script, or use the Altiris OOBTask
Agent via a defined schedule, or similar methods to help automate this process.

www.altiris.com The Process of Provisioning > 57

Procedure 3:
Unprovisioning Intel AMT (Two Methods)
Remember that you can partially or fully unprovision Intel AMT:

A partial unprovision retains initial security credentials required to

authenticate and establish trust, but erases the configuration profile,
including networking and operational data and custom settings that
integrated Intel AMT with the PC. A partial unprovision returns Intel AMT to
setup state.
A full unprovision removes the configuration profile, networking and
operational MEBx settings, and all security credentials for Intel AMT. A full
unprovision returns Intel AMT to factory-default state.
This lab includes two procedures for unprovisioning Intel AMT on a target PC.
Both are full unprovisions. In the first procedure, you will unprovision Intel AMT
and clean up the management domain so that the PC can be r eprovisioned for
use with any management software. The second procedure shows how to
unprovision the PC while leaving the management domain ready for
reprovisioning using the Intel vPro Activator utility.

Unprovision Intel AMT on the PC, including cleanin g up the management

domain
Unprovision in preparation for reprovisioning using Activator utility

Method 1: Unprovision Intel AMT on the PC

This lab shows how to fully unprovision Intel AMT on one target PC.

1. Double click on the VBscript RTSM Quick View.

2. Enter the hostname of the target Intel vPro PC (see Figure 30) and click OK.

Figure 30. Enter host name of target PC

3. When the Real-Time Systems Manager page appears, select the Real-Time
tab. A screen similar to Figure 31 will appear. This interface is used for one-
to-one client management.

58 < The Process of Provisioning www.altiris.com

 Figure 31. Real-Time one-to-one client management

4. Navigate to Real-Time Consoles > Real-Time System Manager >

Administrative Tasks > Provisioning Mode. The provisioning mode
screen will be displayed (see Figure 32)
Note:
If the selection or option is not shown, then either the client is not
provisioned or the Altiris server is unable to authenticate to Intel
AMT.

Figure 32. Select unprovision method

5. From the Provisioning Mode window, select Full and Enterprise

www.altiris.com The Process of Provisioning > 59

 6. Click Unprovision Now. This will initiate a full unprovision sequence for
Intel AMT on that PC. In the Altiris provisioning console, the entry for Intel
AMT systems will be deleted.
Note:
This function is similar although more powerful than the
unprovision.exe utility in the Intel AMT SDK

7. Close the Real-Time Systems Manager page for the client, and return to the
Altiris Console.
8. From the Out of Band Management solution menu, navigate to
Configuration > Provisioning > Intel® AMT Systems > Profile
Assignments.
9. Select the profile name of the target Intel vPro system (see Figure 33).
10. Click Delete.

Figure 33. Select the profile for the target PC

Remember that, with the remote configuration process, you can reprovision Intel
AMT in a fully remote, automated process, vi a certificates and keys.

Note that agent-initiated remote configuration systems will wait until an agent
requests that provisioning begin before it will allow the Intel vPro PC to
reinitiate the hello packets.

Clean Up the Management Domain

1. From the Altiris console (and on a PC other than the target PC), run the
client cleanup.cmd batch file located at c:\vProClientPreps. This will
remove the Altiris agent, remove the client from the domain, and delete the
custom files located in the target directory.
2. When prompted, press the appropriate key to reboot the target PC.
The Intel vPro PC is now ready to be moved to a new location and reconfigured
for its new purpose.

60 < The Process of Provisioning www.altiris.com

Method 2: Unprovision in Preparation for Reprovisioning Using
Activator Utility
You can also unprovision a PC so that the management domain is ready to use
the Intel vPro Activator utility to reprovision Intel AMT later.

1. From the Altiris console, navigate to Intel® AMT Systems.

2. To delete the defined Profile Assignment, select Profile Assignments (see
Figure 34).

Figure 34

3. Right-click on the name of the target PC and select Delete (see Figure 35).
At the next provisioning event, the Profile Assignment will need to be
defined and will be accomplished via the Intel vPro Activator Utility.

Figure 35

4. In the Profile Assignments screen, right-click on the target system and

select UnProvision.
5. When prompted, select Full UnProvision and all systems you want to
unprovision.
6. If necessary, select Logs to confirm that the unprovisioning process
completed successfully.

www.altiris.com The Process of Provisioning > 61

Procedure 4:
Active Directory Extension through Altiris
You must enable integration into the Microsoft Active Directory if you want to
use Kerberos and 802.1x; otherwise both options will be disabled. As part of the
integration, the directory schema will be extended to support iAMTobjects. In
addition, a specific directory organizational unit (OU) must be defined, the
AMTconfig service logon account must have administrative access to create and
modify directory objects, and the target Intel vPro PC must be joined and have
an existing computer object in the associated Active Directory domain.

Extending the AD schema follows three general steps:

Step 1: Extend the AD schema

Step 2: Configure Kerberos
Step 3: Create Kerberos profile

Step 1: Extend the AD Schema

Follow these steps to extend the Active Directory schema.

1. Access the Altiris Provisioning console by selecting View > Solutions > Out
of Band Management.
2. Navigate to Configuration > Provisioning > General.
3. At the General setting page, check the Integrate with Active Directory check
box. Blue text will appear next to this option: Extend the Active Directory
Schema (see Figure 36).
4. Select Extend Active Directory schema…

Figure 36: Select Integrate with Active Directory

62 < The Process of Provisioning www.altiris.com

5. When prompted, enter the administrator user name and password (see
Figure 37)
Username: administrator
Password: P@ssw0rd

Figure 37: Select Extend

6. Click Extend. A log will appear that shows a summary of the schema
extensions that were made, and whether the extension was successfully
completed (see Figure 38).
7. Click Close to close the window.

www.altiris.com The Process of Provisioning > 63

 Figure 38: Schema Extension log

8. In the General Service Settings pane, select Apply to apply the extension of
the AD schema (see Figure 39).

64 < The Process of Provisioning www.altiris.com

 Figure 39: Select Apply

Step 2: Configure Kerberos

Once the AD schema has been extended, you are ready to setup and provision
the PC to support Kerberos authentication to an Intel AMT object.

1. Open Internet Explorer.

2. Select IE Tools > Internet Options.
3. Select the Advanced tab.
4. Scroll down to the Security section (see Figure 40).

www.altiris.com The Process of Provisioning > 65

 Figure 40: Enable Integrated Windows Authentication

5. Check the checkbox for Enable Integrated Windows Authentication (requires

restart).
6. When prompted to reboot the system, click OK.
Note that the PC must be rebooted to activate Kerberos authentication.

You are now ready to create the Kerberos profile.

Step 3: Create Kerberos Profile

After the system is rebooted, you must create a Kerberos Profile:

1. In Altiris, navigate to View > Solutions > Out of Band Management.

Navigate to Provisioning > Configuration Service Settings >
Provision Profiles.
2. Select the blue + sign to add a new profile (see figure 41).

66 < The Process of Provisioning www.altiris.com

 Figure 41: Select Add

3. Select the ACL tab (see Figure 42).

4. Click Add to add a new profile.

Figure 42: Select Add

www.altiris.com The Process of Provisioning > 67

 5. Select Kerberos User, then select Browse (see Figure 43).

Figure 43: Select Browse

6. Click Browse to identify the target Active Directory user or group. A new
screen will appear similar to Figure 44.

Figure 442: Select Find

68 < The Process of Provisioning www.altiris.com

7. From the Select Users or Groups screen, enter Domain User in the Name
Query
8. Click Find.
9. Select the profile that fits the user and click OK to return to the Add ACL
Entry windows.
10. In the Add ACL Entry screen, set the Access Permissions to Any (see Figure
45).

Figure 45: Select Realms

11. Select the Realms for the features you want the user to be able to access.
12. Click OK to apply the changes.

www.altiris.com The Process of Provisioning > 69

 13. Select OK to save the new profile (see Figure 46).

Figure 46: Select OK

The Kerberos profile is now enabled and can be applied to systems with Active
Directories extended (see Figure 47).

Figure 47: Profile now enabled

70 < The Process of Provisioning www.altiris.com

Procedure 5:
Setting up TLS Certificates
TLS allows Intel AMT to communicate securely with the SCS. After provisioning,
TLS is used to secure the Intel AMT communication channel for remote
management of the PC.

Note:
This procedure requires that a Microsoft Windows 2003 Certificate
Authority be defined for the provisioning service to issue
certificates on behalf of the PC clients.

Setting up a TLS certificate follows two general steps:

Step 1: Set up the Certificate

Step 2: Verify that the Provisioning Service Is Requesting Certificates

Step 1: Set up the Certificate

To provide TLS to a profile, follow these steps:

1. Navigate to View > Solutions > Out of Band Management.

2. Navigate to Configuration > Provisioning > Configuration Service
Settings > Provision Profiles.
3. In the right pane, right-click a profile and click Edit (see Figure 48).

Figure 48: Select Edit

www.altiris.com The Process of Provisioning > 71

 4. Select the TLS tab (see Figure 49).

Figure 49: TLS tab

5. Select Use TLS to enable TLS.

6. Check the radio buttons for local and network interfaces for TLS Server
Authentication.

72 < The Process of Provisioning www.altiris.com

7. Click the ... (browse) button at the right side of the Server Certificate field.
The system will display a listing of available certi ficates (see
Figure 50).

Figure 50: Select Edit or the add icon

8. Right-click the certificate profile and Click Edit in the drop-down menu, or
select the blue Add icon to add a new certificate profile.
9. In the Edit Certificate Generation Properties window, click ... (browse)
to choose the certificate host name and/or the template.
10. In the Type dropdown click Enterprise.
11. Click OK to edit or generate the certificate profile (see figure 51).

www.altiris.com The Process of Provisioning > 73

 Figure 51: Generate or Edit a TLS certificate

12. Click OK to accept the generated certificate (see figure 47).

13. Click OK in the TLS tab to finish generating the TLS certificate (see Figure
52).

Figure 52: Select OK.

Step 2: Verify that the Provisioning Service Is Requesting

Certificates
1. From the Altiris Provisioning console, navigate to Intel AMT systems
2. Right click on the Provisioned system and select ReProvision

Figure 53: Select re-provision to access provisioning logs.

74 < The Process of Provisioning www.altiris.com

3. Select the provisioning logs.
4. Scroll to the entry starting with Retrieving Certificates (see Figure 54).
This validates that the provisioning service is requesting certificates on
behalf of the clients

Figure 54: Verify that certificates are being requested.

Intel vPro PCs with this profile can now be configured to accept and run TLS
certificates.

www.altiris.com The Process of Provisioning > 75

FOR MORE INFORMATION
These reference documents, articles, and discussions may be of interest:

Intel® SCS website with user guide -

http://softwarecommunity.intel.com/articles/eng/1025.htm
Options and core criteria for provisioning Intel® vPro™ -
http://juice.altiris.com/node/4480
Post-Deployment Series - http://juice.altiris.com/node/4636
Series on using Altiris Out-of-Band Management in a multiple Notification
Server environment - http://juice.altiris.com/node/3771
Series on troubleshooting Altiris Manageability Tooklit -
http://juice.altiris.com/node/3699
Discussion on managing Intel® vPro™ client that were already provisioned -
http://communities.intel.com/thread/1676

76 < The Process of Provisioning www.altiris.com